lgandx / Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

ICMP Re-Direct

yeti-code opened this issue

I'm on an OpenVPN connection for an HTB box. I have a SOCKS5 proxy as well on the target machine.

Trying to run responder to capture LLMNR hashes.

I'm getting this output, then the file errors out.

(root💀kali)-[/opt/Responder]
└─# python3 Responder.py -I tun0 -A
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.1.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [OFF]
    NBT-NS                     [OFF]
    MDNS                       [OFF]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [ON]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.23]
    Responder IPv6             [dead:beef:2::1015]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-T35KGYMVY0Z]
    Responder Domain Name      [YAO3.LOCAL]
    Responder DCE-RPC Port     [47671]

[+] Listening for events...                                                                                          

[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.23) is not on the same subnet than the DNS server (75.75.75.75).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
[Analyze mode: ICMP] You can ICMP Redirect on this network.
[Analyze mode: ICMP] This workstation (10.10.14.23) is not on the same subnet than the DNS server (75.75.76.76).
[Analyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details.
Traceback (most recent call last):
  File "/opt/Responder/Responder.py", line 383, in <module>
    main()
  File "/opt/Responder/Responder.py", line 274, in main
    from poisoners.LLMNR import LLMNR
  File "/opt/Responder/poisoners/LLMNR.py", line 50, in <module>
    IsICMPRedirectPlausible(settings.Config.Bind_To)
  File "/opt/Responder/poisoners/LLMNR.py", line 44, in IsICMPRedirectPlausible
    if x != "127.0.0.1" and IsOnTheSameSubnet(x,IP) is False:
  File "/opt/Responder/utils.py", line 104, in IsOnTheSameSubnet
    ipaddr = int(''.join([ '%02x' % int(x) for x in ip.split('.') ]), 16)
  File "/opt/Responder/utils.py", line 104, in <listcomp>
    ipaddr = int(''.join([ '%02x' % int(x) for x in ip.split('.') ]), 16)
ValueError: invalid literal for int() with base 10: '2001:558:feed::1'

My guess: looks like https://github.com/lgandx/Responder/blob/master/utils.py#L102 may only support IPv4 and your environment is providing an IPv6 address?

@decidedlygray is correct, this is similar to Issue #152. There is an IPv6 address in your /etc/resolv.conf file. To work around this you can comment out/delete that address from your /etc/resolv.conf (which will affect the whole system) OR not use Analyze mode (-A) as that's the only time it gets checked OR I've patched it in Pull Request #232 so that LLMNR.py will check if the DNS is an IPv6 address before sending it to utils.py and if it is IPv6 it gets skipped. As this whole thing is just a check to see if the tools/ICMP-Redirect.py script might work (which also does not yet support IPv6) it can probably be safely ignored for now.
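
The failure mode discussed in this thread, as an added example that is not Responder's code and not the patch from Pull Request #232: a subnet check built on Python's standard `ipaddress` module that skips a nameserver whose address family differs from the local network instead of raising `ValueError`. The function names, the sample resolver file and the `/23` prefix on the tun0 address are assumptions made for illustration.

```python
import ipaddress

# Constructed sample resembling a resolver file with mixed address families.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.lan
nameserver 75.75.75.75
nameserver 2001:558:feed::1
nameserver 10.10.14.1
nameserver fe80::1%eth0
"""


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # ignore comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def is_on_same_subnet(ip, network):
    """True or False for a same-family comparison; None when the families
    differ or the input cannot be parsed, so the caller can skip the check."""
    try:
        addr = ipaddress.ip_address(ip.split("%", 1)[0])  # drop IPv6 zone id
        net = ipaddress.ip_network(network, strict=False)
    except ValueError:
        return None
    if addr.version != net.version:
        return None
    return addr in net


def off_subnet_dns(resolv_text, local_net):
    """Nameservers confirmed to be outside local_net; unknowns are skipped."""
    return [ns for ns in parse_nameservers(resolv_text)
            if is_on_same_subnet(ns, local_net) is False]


if __name__ == "__main__":
    # The /23 prefix is an assumed mask for the tun0 address in the report.
    print(off_subnet_dns(SAMPLE_RESOLV_CONF, "10.10.14.23/23"))
```

Returning `None` for a family mismatch keeps "not comparable" distinct from "on a different subnet", so an IPv6 resolver is skipped rather than reported as off-subnet.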